Five Ways You Help Keep the University Secure Part One: Protect Your Accounts

November 18, 2019

by UNH IT Staff

Photo of a keyboard with a button entitled protect

This article is part one of a five-part series on Five Ways You Help Keep the University Secure. In this article, we discuss the importance of protecting your accounts.  

When you help protect the University's data, you also help protect your privacy and personal data. Think about it: if cybercriminals breach secure data at UNH, your information is among the many thousands of identities that could be compromised or stolen. As University employees, we all need to work collectively to ensure everyone's data (students, faculty, staff, parents, alumni) remains secure.

This month's article focuses on how to protect your accounts. These simple strategies work both for your work and personal accounts.

Keep Work and Home Separate

It's tempting to use your UNH email for personal communications and as a means to sign-up for online accounts and services. After all, it makes life simple, as you'd only need to check one inbox, and you'd only have one password to remember. But it's essential to maintain a clear separation from your work and your accounts. As a reminder, your UNH email is subject to a Freedom of Information Act requests or litigation hold. If you use this email address for personal emails, all messages, including those that are personal, are subject to search, which could compromise your privacy.

Keeping work and home separate also applies when it comes to the usernames and passwords used for online accounts. Work accounts include your UNH username and email, along with any associated passwords. Personal accounts are those associated with services like Gmail, Netflix, social media accounts, and your bank account.

To maintain this separation, you should never:

  • Use your UNH username or email address as the sign-on for your accounts.
  • Use the same password for work accounts and personal accounts 

 UNH Information Technology also recommends never using your UNH email as the email address of record for individual accounts. This separation protects your UNH account from being compromised in the event of a data breach at another company.

Use a Unique Password for Every Account

This rule is tough, but it's essential to ensure that if one of your accounts gets compromised, it doesn't result in a field day for cybercriminals. You should apply this rule to your work and personal accounts. For example, say you use your UNH email and password for online banking. If your UNH email gets compromised by a phishing attack, the hackers will likely try these same credentials to see if they can access your bank account. In short, if cybercriminals hack one of your accounts, the use of unique passwords will cut your losses.

Use Strong Passwords

If you follow the new USNH Password Policy for all of your accounts, whether it's at work or home, you'll be in good shape. Strong passwords are at least 14 characters in length and may contain capital letters, lowercase letters, numbers, and symbols. You should consider using passphrases over traditional passwords. If you substitute letters with numbers and symbols, it will be easier to remember. For example, the password idrivearedsportscar can be transformed into 1dr1v3a[]redsp0rtsc4r. This password is still easy to remember (especially if you do drive a red sports car). Still, it is harder for robots and cybercriminals to guess. It's also important to avoid using dictionary words and common password creation schemes, which typically contain a capital letter as the first character and an exclamation mark as the last. You should also avoid iterative passwords, which are those that are essentially the same password with a different number or character at the end. 

Use a Password Manager 

If we follow the unique-passwords-for-each-account rule, we're suddenly in a position where we have to remember many passwords. Password Managers are applications that manage all your username/password combinations in a secure, encrypted location (often on your device) called a password vault. The vault stores the necessary information to sign into all of the different sites you use at work and home. It takes the work out of using a different password for every account or service. While UNH IT does not recommend a particular password manager, a quick Google search will lead you to services such as LastPass and Dashlane.

Whenever and Wherever Possible, Use Multi-Factor Authentication

Let's talk about identity for a moment. There are three types of factors or standards of evidence used to confirm that you are who you say you are:

  1. Knowledge: Something You know. This characteristic includes passwords, a security question, or private identity information such as your Social Security Number or the amount of your last deposit.
  2. Possession: Something You Have. This category includes your device's signature, a code provided via phone, or a physical key or token.
  3. Inherence: Something You are. This factor includes your fingerprint, retina scans, or a biometric scan.

Good security practices use a combination of at least two of these factors. For example, ATMs require a bank card (something you have) and a PIN (something you know) for access. 

Most banks require the use of multi-factor authentication to access their online banking system, in addition to your username and password. To access the system, you'll enter your credentials, followed by a code sent to your phone or email. Fingerprints are another way some banks add multi-factor authentication to your account. 

Multi-factor authentication makes it difficult for cybercriminals to access your account because it requires a combination of factors – like something you know (your username and password) and something you have (the phone to which a code is sent). With MFA enabled, even if the cybercriminal has your username and password, they can't necessarily access your account because they don't have your phone. 

Currently, the USNH WISE system and Webcat both require multi-factor authentication s part of the login process, which helps keep University data safe. You should consider employing multi-factor authentication for your accounts whenever and wherever it is offered.

 Next month, we'll discuss how to protect your devices.



Bookmark and Share